Details of VAR-201402-0236

ID

VAR-201402-0236

CVE

CVE-2014-1960

TITLE

SAP NetWeaver of Solution Manager Vulnerability in which important information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2014-001410

DESCRIPTION

The Solution Manager in SAP NetWeaver does not properly restrict access, which allows remote attackers to obtain sensitive information via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications

Trust: 2.61

sources: NVD: CVE-2014-1960 // JVNDB: JVNDB-2014-001410 // CNVD: CNVD-2014-01097 // BID: 65543 // IVD: 3e1d81b4-1eea-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 3e1d81b4-1eea-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-01097

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver solution manager	scope:	eq	version:	7.0	Trust: 3.0
vendor:	sap	model:	netweaver solution manager	scope:	eq	version:	7.1	Trust: 3.0
vendor:	sap	model:	netweaver	scope:	eq	version:	-	Trust: 1.6
vendor:	sap	model:	netweaver	scope:	-	version:	-	Trust: 1.4
vendor:	netweaver	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	netweaver solution manager	model:	-	scope:	eq	version:	7.0	Trust: 0.2
vendor:	netweaver solution manager	model:	-	scope:	eq	version:	7.1	Trust: 0.2

sources: IVD: 3e1d81b4-1eea-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-01097 // JVNDB: JVNDB-2014-001410 // CNNVD: CNNVD-201402-203 // NVD: CVE-2014-1960

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-1960
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-1960
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-01097
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201402-203
value:	MEDIUM
Trust: 0.6
IVD:	3e1d81b4-1eea-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2014-1960
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-01097
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	3e1d81b4-1eea-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 3e1d81b4-1eea-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-01097 // JVNDB: JVNDB-2014-001410 // CNNVD: CNNVD-201402-203 // NVD: CVE-2014-1960

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2014-001410 // NVD: CVE-2014-1960

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-203

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201402-203

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001410

PATCH

title:	Acknowledgments to Security Researchers	url:	http://scn.sap.com/docs/DOC-8218	Trust: 0.8
title:	SAP NetWeaver Solution Manager has patches for unclear security bypass vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/43737	Trust: 0.6

sources: CNVD: CNVD-2014-01097 // JVNDB: JVNDB-2014-001410

EXTERNAL IDS

db:	NVD	id:	CVE-2014-1960	Trust: 3.5
db:	SECUNIA	id:	56942	Trust: 2.2
db:	BID	id:	65543	Trust: 0.9
db:	CNVD	id:	CNVD-2014-01097	Trust: 0.8
db:	CNNVD	id:	CNNVD-201402-203	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-001410	Trust: 0.8
db:	IVD	id:	3E1D81B4-1EEA-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: 3e1d81b4-1eea-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-01097 // BID: 65543 // JVNDB: JVNDB-2014-001410 // CNNVD: CNNVD-201402-203 // NVD: CVE-2014-1960

REFERENCES

url:	http://secunia.com/advisories/56942	Trust: 2.2
url:	https://service.sap.com/sap/support/notes/1828885	Trust: 1.6
url:	http://scn.sap.com/docs/doc-8218	Trust: 1.6
url:	http://erpscan.com/advisories/erpscan-14-004-sap-netweaver-solution-manager-missing-authorization-check-information-disclosure/	Trust: 1.4
url:	https://erpscan.io/advisories/erpscan-14-004-sap-netweaver-solution-manager-missing-authorization-check-information-disclosure/	Trust: 1.0
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/91093	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1960	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1960	Trust: 0.8
url:	http://www.securityfocus.com/bid/65543	Trust: 0.6

sources: CNVD: CNVD-2014-01097 // JVNDB: JVNDB-2014-001410 // CNNVD: CNNVD-201402-203 // NVD: CVE-2014-1960

CREDITS

Evgeny Neyolov, ERPScan.

Trust: 0.3

sources: BID: 65543

SOURCES

db:	IVD	id:	3e1d81b4-1eea-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2014-01097
db:	BID	id:	65543
db:	JVNDB	id:	JVNDB-2014-001410
db:	CNNVD	id:	CNNVD-201402-203
db:	NVD	id:	CVE-2014-1960

LAST UPDATE DATE

2024-11-23T22:18:38.562000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-01097	date:	2014-02-20T00:00:00
db:	BID	id:	65543	date:	2014-02-18T12:27:00
db:	JVNDB	id:	JVNDB-2014-001410	date:	2014-02-19T00:00:00
db:	CNNVD	id:	CNNVD-201402-203	date:	2014-02-18T00:00:00
db:	NVD	id:	CVE-2014-1960	date:	2024-11-21T02:05:21.350

SOURCES RELEASE DATE

db:	IVD	id:	3e1d81b4-1eea-11e6-abef-000c29c66e3d	date:	2014-02-20T00:00:00
db:	CNVD	id:	CNVD-2014-01097	date:	2014-02-20T00:00:00
db:	BID	id:	65543	date:	2014-01-25T00:00:00
db:	JVNDB	id:	JVNDB-2014-001410	date:	2014-02-19T00:00:00
db:	CNNVD	id:	CNNVD-201402-203	date:	2014-02-18T00:00:00
db:	NVD	id:	CVE-2014-1960	date:	2014-02-14T15:55:07.437